
Most small business owners believe one of two wrong things about the Privacy Act: either that the under-$3 million exemption still makes the whole subject someone else’s problem, or that the exemption has already been abolished and they are somehow non-compliant today. The truth as at July 2026 sits precisely between them. The blanket exemption has not been repealed, but it is being dismantled around the edges: individuals can now sue directly for serious invasions of privacy regardless of your turnover, penalties for covered entities reach $50 million, and from 1 July 2026 more than 100,000 small businesses, accountants, lawyers, conveyancers, real estate professionals and others, lost the exemption for a slice of their data handling through a law most of them have never read. This guide lays out what is in force, what is dated, what is still only proposed, and the right-sized compliance baseline that makes all of it manageable.
Published: July 2026
Australia’s privacy overhaul is arriving in staggered pieces, which is exactly why businesses miss the piece with their name on it.
Finance and professional-services SMEs should treat privacy as an operations control alongside BAS and payroll, not a policy PDF on the website. Scale Suite builds those controls into standing finance services and people and HR support delivery for clients who cannot staff a compliance function. Start with the OAIC APP guidelines and the Notifiable Data Breaches scheme.
Strip the noise and coverage in July 2026 resolves into four groups.
Covered regardless of turnover, always were: health service providers holding health information, businesses that trade in personal information, credit reporting bodies, and Commonwealth contractors. Plenty of small allied health, medical and wellness businesses have been fully covered for years without realising it.
Covered from 1 July 2026 for AML/CTF data handling: the newly designated professions above. The coverage is activity-scoped, it attaches to the personal information collected and used for AML/CTF purposes such as client identification and verification, but the practical effect for a small accounting or conveyancing practice is that Privacy Act disciplines, collection notices, security, breach response, now sit inside the client onboarding process itself, supervised by the OAIC alongside AUSTRAC.
Exposed regardless of coverage: every business, through the statutory tort. The tort is not an APP compliance regime, but it is a live litigation risk attached to reckless handling of private information, and it applies to the exempt corner store as much as the covered corporation.
Still exempt for now: the general under-$3 million business outside the categories above, for whom the APPs remain voluntary until tranche two arrives, and for whom the sensible posture is deliberate preparation rather than either panic or complacency.
A hypothetical business advisory practice turns over $2.7 million, employs 12 staff, and from 1 July 2026 is a reporting entity for AML/CTF purposes. It is still under the general small business threshold for many activities, but client identification documents collected for AML now sit inside Privacy Act handling for that activity. The firm needs collection notices in onboarding, security around ID documents, retention discipline, and a notifiable breach plan. The partner who assumed “we are under $3 million so privacy does not apply” is wrong for the highest-risk data the firm holds. Budget a half-day data map, a real privacy policy, and multi-factor authentication across mail and file systems before the next client pack is issued.
If the firm also uses offshore processing capacity, cross-border rules stack on top. Read the architecture test in the hiring offshore finance staff guide and treat access control as a privacy control, not an IT nice-to-have.
For every covered entity, and for every business that intends to be ready before it is compelled, the notifiable data breaches scheme is the obligation with a clock on it. Where a data breach is likely to result in serious harm to individuals, the entity must notify the OAIC and the affected individuals; where a breach is merely suspected, the entity has 30 days to assess whether it is notifiable. Thirty days sounds generous until it is day three of a live incident, the laptop is gone or the inbox is compromised, and nobody knows what data was in scope because nobody ever mapped it.
The scheme is why breach response cannot be improvised. The working parts are a data map (what personal information exists, where it lives, who can touch it), a written response plan naming who assesses, who decides and who notifies, and an evidence habit, because a business that assessed a suspected breach promptly and documented its reasoning is in a categorically different position from one that hoped the problem away. Small firms newly covered through the AML route should note that their client identification records, identity documents and verification data, are precisely the high-harm category the scheme was built around, and that the AML rules themselves push toward retaining minimal verification details rather than hoarding document copies.
A hypothetical practice loses a staff laptop containing unencrypted copies of 80 client identity packs. Even if encryption and remote wipe limit the actual harm assessment, legal advice, client communication, potential OAIC engagement and insurance excesses can still run $15,000 to $50,000 before any claim or complaint multiplies the cost. The control that would have reduced that figure, full-disk encryption, MFA, no local ID copies, costs a few hundred dollars and a process change. Privacy spend is cheap next to privacy failure.
Full enterprise privacy programs are the wrong tool for a twelve-person business. The right-sized baseline is seven items, most of them one-time builds with an annual review, and together they cover today’s obligations, the December dates and the direction of tranche two.
None of this is exotic, and all of it compounds: the same data map that satisfies a regulator shortens a cyber insurance application, and the same offboarding discipline that protects privacy protects the bank account. Building and maintaining that baseline, alongside the AML onboarding machinery the same firms are implementing this year, is exactly the kind of structured, unglamorous compliance work an embedded finance and HR team carries so owners are not reading exposure drafts at night. Pair privacy hygiene with payment controls covered in ordinary internal controls for small business practice, and keep employee records tidy as part of employee onboarding discipline.
If you are fully covered (health, trading in personal information, Commonwealth contractor, or turnover over $3 million), run the full baseline now and budget for OAIC-grade process, not a template policy alone.
If you are activity-covered for AML, prioritise collection notices, ID security, retention minima and breach response for verification data, then extend the same hygiene to the rest of the client file.
If you are still generally exempt, still implement the baseline because of the statutory tort, customer expectations, cyber insurance and the direction of tranche two. Preparation is cheaper than a rushed retrofit when the exemption finally moves.
Use the ATO compliance health check as a parallel discipline reminder: privacy is not tax, but both reward documented process over improvisation.
Does the Privacy Act apply to my small business in 2026?
If turnover is under $3 million, the blanket exemption still stands unless you fall into a covered category: health service providers, businesses trading in personal information, Commonwealth contractors, and, from 1 July 2026, businesses providing AML/CTF designated services such as accounting, legal, conveyancing and real estate work, for their AML-related data handling.
Has the $3 million small business exemption been removed?
No. Its removal is part of the proposed second tranche of reforms, which the government has confirmed it is progressing but has not introduced as a Bill and has not dated. The exemption is being eroded at the edges, most materially by the July 2026 AML expansion, but the blanket repeal is direction, not law.
What changed on 1 July 2026?
The AML/CTF regime expanded to accountants, tax and BAS agents, lawyers, conveyancers, real estate professionals, trust and company service providers and dealers in precious metals and stones. Those businesses became reporting entities, and the Privacy Act now applies to their handling of personal information for AML/CTF purposes regardless of turnover, with OAIC guidance and template notices available.
Can someone sue my exempt small business over privacy?
Yes, under the statutory tort in force since 10 June 2025, which allows individuals to sue for serious, intentional or reckless invasions of privacy and does not depend on the small business exemption. It is the reason careless handling of private information is now a litigation risk for every business, covered or not.
What are the penalties under the reformed Act?
For covered entities, serious interferences with privacy carry penalties up to $50 million, three times the benefit obtained or 30 per cent of adjusted turnover, whichever is greatest, with mid-tier penalties below that and infringement notices up to $66,000 for administrative failures such as a non-compliant privacy policy.
What is the notifiable data breaches scheme in practice?
Covered entities must notify the OAIC and affected individuals of breaches likely to cause serious harm, and must assess suspected breaches within 30 days. Meeting the clock requires a data map, a written response plan and documented assessments, none of which can be built mid-incident.
What is due on 10 December 2026?
Automated decision-making transparency, privacy policies must disclose where computer programs make or substantially inform decisions significantly affecting individuals, and the OAIC’s Children’s Online Privacy Code for services likely to be accessed by minors.
What should an exempt SME actually do now?
Run the half-day data audit, publish an honest privacy policy, write the one-page breach plan, tighten security basics, and diarise an annual review. It is a modest build that covers the statutory tort exposure today, positions the business for the December dates, and turns the eventual tranche two into a non-event.
Do employee records still get an exemption?
The employee records exemption still covers many employer acts relating to their own staff records, but it is not a free pass for TFNs, third-party providers, or reckless disclosures that engage the statutory tort. Treat staff data with the same security hygiene as client data.
Is a privacy policy alone enough compliance?
No. A policy that does not match practice is a liability. The policy is one control inside a set that includes the data map, access control, retention, breach plan and annual review.
Scale Suite is a Sydney-based provider of outsourced finance teams and fractional CFO services for Australian SMEs. We deliver weekly bookkeeping, payroll, BAS/IAS lodgement, cashflow reporting, management accounts, and strategic fractional CFO oversight, all as a fully embedded team that works inside your business.
CA-qualified, Xero Certified, and registered BAS Agents, we replace fragmented bookkeepers and once-a-year accountants with one responsive finance function at a fraction of the cost of full-time hires. We serve growing businesses across Sydney, Melbourne, Brisbane, and Perth, with packages starting from $1,500 per month and no lock-in contracts.
Visit Scale Suite | View Our Finance Services | View Our HR Services | Get Your Free Proposal
We review and check this guide periodically. At the time of writing (July 2026), all information was current. Scale Suite is a registered BAS Agent, not a licensed tax advisor or financial advisor. This content is general information only and does not constitute professional tax, financial, or legal advice. Some details may change over time.
Scale Suite is a Sydney-based provider of outsourced finance and HR services for Australian SMEs. We deliver bookkeeping, financial reporting, payroll processing, fractional CFO support, recruitment, employee onboarding, people and culture support, and fractional HR oversight, all as a fully embedded team that works inside your business.
Employment Hero Gold Partner, CA-qualified, and Xero Certified, we replace fragmented finance and HR processes with one responsive, senior-level function at a fraction of the cost of full-time hires. We serve growing businesses across Sydney, Melbourne, Brisbane, and Perth, with packages starting from $1,500 per month and no lock-in contracts.
30 minutes with our team.
We'll review your current finance setup, compare the full cost of an internal hire against our embedded team, and show you exactly what your finance function should cost at your stage of growth.
You'll leave with a clear view of what's working, what's missing, and where you'd save.
No lock-in contracts. 30-day money-back guarantee.
Prefer to book directly? Grab a time here.

